How can critical infrastructure protect and defend against Conti?
The best way to defend against potential ransomware attacks is to deploy multiple layers of overlapping protective and defense measures and leverage an endpoint risk security program.
The endpoint approach uses OT-specific endpoint visibility and inventory techniques to gather asset information directly from the endpoints themselves and integrates with other security components to complete the security picture.
This process begins with technology that delivers deep, vendor-agnostic endpoint visibility: 100% software inventories; full patch status for all application software as well as the OS; detailed, regularly refreshed information on configuration settings, passwords and user accounts; the status of defensive tools such as anti-virus and whitelisting; network configuration rules and settings, to understand the network defenses; and asset criticality based on the process and network role of each endpoint.
This “360-degree” view of risk allows the organization to define the most effective and efficient means of remediating risks and securing a given endpoint.
This program should include locking OT systems down to least privilege, patching as often as possible (where patching is possible), deploying best-in-class cyber security tools such as anti-virus and whitelisting and, of course, a robust backup plan. On top of that, these actions should be accompanied by other standard security processes such as user/account management, monitoring, and detection.
In our 25+ years of work on industrial systems, the largest gaps we see are in the management and maintenance of security. Firewalls may exist, but personnel have adjusted rule settings to allow remote access and created servers that route around critical protection layers. Patching policies may exist, but the manual tasks that are often standard do not get completed given the urgencies of operations. There is no central visibility of these gaps. Standard secure configurations may exist, but exceptions are made, users adjust them, new software is allowed, and ports are opened, leaving gaps in that secure structure. Availability of robust and timely backups can significantly reduce downtime in case of a ransomware attack. But are these backups up to date? Do they restore quickly? Without management, the backups you thought you had may not be ready “in case of emergency.”
The ability to consolidate the security status across all systems into a common database to track and ensure protections are maintained is critical to strong protections. Asset owners must patch, segment, harden configurations, ensure appropriate backups, and limit access to least privilege. These core, fundamental elements of security can be the difference between being a victim or not.
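The consolidated view described above, as an added example that is not part of the original article and not Verve's product or code: it takes per-endpoint status records of the kind an OT inventory tool would report (patch age, anti-virus and whitelisting state, firewall exceptions, local admin accounts, backup and restore-test age), flags the maintenance gaps the paragraph lists, and ranks endpoints by weighted risk. The field names, thresholds and the three sample endpoints are constructed assumptions; a site would tune the thresholds to its own policy.

```python
"""Consolidate per-endpoint security status and flag maintenance gaps.

Added illustration (not Verve's product or code). Field names, thresholds
and the sample inventory below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Thresholds are assumptions for the example; a site would set its own.
MAX_PATCH_AGE_DAYS = 90          # OS/app patch level older than this is a gap
MAX_BACKUP_AGE_DAYS = 7          # last successful backup older than this is a gap
MAX_RESTORE_TEST_AGE_DAYS = 180  # last verified restore older than this is a gap
MAX_ADMIN_ACCOUNTS = 2           # more local admins than this violates least privilege

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Endpoint:
    hostname: str
    criticality: str                      # "high" | "medium" | "low", from process/network role
    patch_age_days: int                   # days since OS and application patches were current
    av_enabled: bool
    whitelisting_enabled: bool
    firewall_exceptions: List[str] = field(default_factory=list)  # rules added outside standard policy
    admin_accounts: List[str] = field(default_factory=list)
    backup_age_days: int = 9999           # days since last successful backup
    restore_test_age_days: int = 9999     # days since a restore from backup was verified


def assess(ep: Endpoint) -> List[str]:
    """Return the list of protection gaps found on one endpoint."""
    gaps = []
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        gaps.append(f"patches {ep.patch_age_days} days old")
    if not ep.av_enabled:
        gaps.append("anti-virus disabled")
    if not ep.whitelisting_enabled:
        gaps.append("application whitelisting disabled")
    # Rules that open remote access around the protection layers are the
    # classic "someone adjusted the firewall" gap.
    remote = [r for r in ep.firewall_exceptions if "rdp" in r.lower() or "3389" in r]
    if remote:
        gaps.append("firewall exception permits remote desktop: " + ", ".join(remote))
    if len(ep.admin_accounts) > MAX_ADMIN_ACCOUNTS:
        gaps.append(f"{len(ep.admin_accounts)} local admin accounts (least privilege)")
    if ep.backup_age_days > MAX_BACKUP_AGE_DAYS:
        gaps.append(f"last backup {ep.backup_age_days} days old")
    if ep.restore_test_age_days > MAX_RESTORE_TEST_AGE_DAYS:
        gaps.append("backup restore never or rarely verified")
    return gaps


def risk_score(ep: Endpoint) -> int:
    """Weight the number of gaps by how critical the asset is to the process."""
    return CRITICALITY_WEIGHT[ep.criticality] * len(assess(ep))


def prioritize(inventory: List[Endpoint]) -> List[Dict]:
    """The consolidated view: every endpoint with its gaps, ranked by weighted risk."""
    rows = [{"hostname": ep.hostname, "criticality": ep.criticality,
             "score": risk_score(ep), "gaps": assess(ep)} for ep in inventory]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory, as an OT inventory tool might report it.
SAMPLE_INVENTORY = [
    Endpoint("HMI-01", "high", patch_age_days=400, av_enabled=True, whitelisting_enabled=False,
             firewall_exceptions=["allow tcp/3389 from any"], admin_accounts=["admin", "vendor", "op1"],
             backup_age_days=45, restore_test_age_days=9999),
    Endpoint("ENG-WS-02", "medium", patch_age_days=30, av_enabled=True, whitelisting_enabled=True,
             admin_accounts=["admin"], backup_age_days=2, restore_test_age_days=60),
    Endpoint("HIST-01", "high", patch_age_days=120, av_enabled=False, whitelisting_enabled=True,
             admin_accounts=["admin", "svc_hist"], backup_age_days=1, restore_test_age_days=400),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        print(f"{row['hostname']:<10} {row['criticality']:<6} score={row['score']:>2}  "
              + "; ".join(row["gaps"]))
```

The ranking deliberately multiplies gap count by asset criticality rather than treating every host alike: a high-criticality HMI with an unverified backup and an open remote-desktop rule should land at the top of the remediation list ahead of a low-criticality workstation with the same gaps.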
Organizations should then customize this program by looking at data on previous attacks (as mentioned above). Most recorded Conti attacks started with a basic phishing or spear phishing campaign. Using malicious attachments, Conti would then run embedded scripts to gain access to a computer through various weaknesses (as mentioned previously). From there, they move toward the data they are after. 95% of OT/ICS attacks occur through the commodity IT equipment used in the environment. Defense requires visibility into all assets and integration to provide simple but comprehensive coverage.
As for indicators of compromise (IoCs) that are specific to Conti, organizations should be on high alert for unusual attempts to connect to remote desktops (RDP connections), fake or "risky" software installed on the network such as ZLoader, unusual traffic going in and out of the network (files and data that shouldn't leave the network), and malware such as IcedID, TrickBot, or Cobalt Strike.
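The indicators above turned into detection logic, as an added example that is not part of the original article and not a Verve tool: it parses a simple connection log, raises alerts for RDP connections that do not originate from the site's designated jump host, for bursts of RDP attempts from one source, and for large single flows leaving the internal address range, and separately flags software inventory entries whose names match the families the article lists. The log format, the addresses and host names, the jump-host allowlist and the volume thresholds are all constructed assumptions.

```python
"""Flag Conti-style indicators in connection logs and a software inventory.

Added example (not from the original article, not a Verve product).
Log format, host names and addresses below are constructed; the RDP
jump-host allowlist and the thresholds are assumptions a site would tune.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Families named in the article; matching is a case-insensitive substring test.
RISKY_SOFTWARE = ["zloader", "icedid", "trickbot", "cobalt strike", "cobaltstrike"]

# Assumptions for the example: hosts allowed to originate RDP into the OT
# network, and what counts as "unusual" volume.
RDP_ALLOWED_SOURCES = {"10.0.9.5"}        # the site's designated jump host
RDP_BURST_THRESHOLD = 3                   # more than this many RDP attempts from one source
OUTBOUND_BYTES_THRESHOLD = 50_000_000     # 50 MB leaving the network in one flow

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<bytes_out>\d+) action=(?P<action>\w+)"
)


def parse_line(line: str) -> Dict:
    """Parse one constructed connection-log line into a dict (raises on bad input)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_connection_iocs(lines: List[str]) -> List[str]:
    """Return alerts for unusual RDP activity and unusual outbound data volume."""
    alerts = []
    rdp_by_src = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec["dport"] == 3389:
            rdp_by_src[rec["src"]] += 1
            if rec["src"] not in RDP_ALLOWED_SOURCES:
                alerts.append(f"{rec['ts']} RDP to {rec['dst']} from non-jump-host {rec['src']}")
        # Data leaving the internal range in one large flow: candidate exfiltration.
        if is_internal(rec["src"]) and not is_internal(rec["dst"]) \
                and rec["bytes_out"] > OUTBOUND_BYTES_THRESHOLD:
            alerts.append(f"{rec['ts']} {rec['bytes_out']} bytes out from {rec['src']} to {rec['dst']}")
    for src, n in rdp_by_src.items():
        if n > RDP_BURST_THRESHOLD:
            alerts.append(f"{n} RDP attempts from {src} (possible brute force or lateral movement)")
    return alerts


def detect_risky_software(inventory: Dict[str, List[str]]) -> List[str]:
    """Return alerts for inventory entries matching the risky software list."""
    alerts = []
    for host, packages in inventory.items():
        for pkg in packages:
            if any(ioc in pkg.lower() for ioc in RISKY_SOFTWARE):
                alerts.append(f"{host}: risky software present: {pkg}")
    return alerts


# Constructed sample data.
SAMPLE_LOG = [
    "2024-05-01T02:13:44 src=10.0.9.5 dst=10.0.1.10 dport=3389 bytes_out=1200 action=allow",
    "2024-05-01T02:14:01 src=10.0.5.23 dst=10.0.1.10 dport=3389 bytes_out=900 action=allow",
    "2024-05-01T02:14:02 src=10.0.5.23 dst=10.0.1.11 dport=3389 bytes_out=900 action=allow",
    "2024-05-01T02:14:03 src=10.0.5.23 dst=10.0.1.12 dport=3389 bytes_out=900 action=allow",
    "2024-05-01T02:14:04 src=10.0.5.23 dst=10.0.1.13 dport=3389 bytes_out=900 action=allow",
    "2024-05-01T02:20:10 src=10.0.1.10 dst=203.0.113.7 dport=443 bytes_out=184000000 action=allow",
    "2024-05-01T02:21:00 src=10.0.1.10 dst=10.0.1.50 dport=502 bytes_out=300 action=allow",
]
SAMPLE_INVENTORY = {
    "ENG-WS-02": ["Vendor HMI Runtime 7.2", "ZLoader Update Helper"],
    "HIST-01": ["SQL Server 2016"],
}

if __name__ == "__main__":
    for a in detect_connection_iocs(SAMPLE_LOG) + detect_risky_software(SAMPLE_INVENTORY):
        print("ALERT", a)
```

The RDP check is an allowlist, not a blocklist: in an OT network the set of hosts that legitimately open remote desktops is small and known, so any other source is worth an alert even before it reaches the burst threshold. Name matching against the inventory is only a first pass; the families listed are the ones the article names, and a real deployment would feed the consolidated inventory to a regularly updated threat-intelligence list rather than a fixed string table.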
But as we know, detection is not enough. Integrating detection with response actions allows industrial organizations to significantly reduce the spread and cost of ransomware attacks.
This article was written by Marc-Etienne Bergeron, ICS Security Manager, Verve Industrial.